What if Netflix Put as Much Energy into Vendor Risk Assessments as They Do on Movie Reviews?


Earlier this month, Netflix learned something that Financial Services and Healthcare organizations already knew: you are only as secure as your least secure partner. An attacker published ten upcoming episodes of the new season of the Netflix show "Orange is the New Black." The attackers did not breach Netflix directly; they reached the unreleased episodes through Netflix's post-production vendor, Larson Studios. They also claimed to hold unaired footage from other studios, including ABC and Fox.


Some industries, like Financial Services and Healthcare, are heavily regulated, and their regulators expect them to know and manage the risk their third parties introduce. Other industries carry no such burden, so they have had less pressure to build vendor risk management programs, and the Media industry in particular has fallen behind the curve.


An iconic image of Hollywood's Golden Age is the massive front gate of a studio, where a guard checked visitors off a list on his clipboard. Modern Hollywood is more silicon than celluloid. Attackers do not wait at the gate to be let in; they come in through the networks of the studios and, as the Larson Studios incident shows, through the networks of the trusted third parties that handle the studios' content. Even as the major studios embrace mature information security programs, their vendors typically lag well behind, and the vendor's weakest control becomes the studio's weakest control.


So why is vendor risk management such a challenge for organizations? The short answer is that vendor assessments are labor intensive, inefficient and time consuming. A recent Rsam survey taken during a webinar on vendor risk found that 50% of respondents assess less than 15% of their vendors, which leaves a large risk gap: the unassessed majority can include vendors, like a post-production house, that hold the organization's most sensitive content. Many companies conduct hundreds of assessments a year through email requests, manual questionnaires and Excel spreadsheets. Given that manual process, they can only cover a small fraction of their vendor ecosystem. A big step forward for any company is to automate the assessment process end to end, from data gathering and notifications through risk scoring, analysis and remediation tracking. Undoubtedly, Netflix wishes it knew its vendors as well as it knows its programs; you don't want spoilers for either.